Wiz vs Orca vs Prisma Cloud: The Best CNAPP Platforms Compared for 2026
Wiz, Orca and Prisma Cloud (now Cortex Cloud) compared for CNAPP in 2026. Agentless vs agent-based, real pricing, honest weaknesses, and which platform fits which buyer.
Cloud Security
CNAPP, Kubernetes, SSPM, API security, secrets management, and the software supply chain.
Kubernetes security platform comparison for 2026: Aqua Security, Sysdig Secure and Wiz Runtime Sensor. Admission control, runtime protection, and image scanning compared.
Software supply chain security in 2026: SBOM generation, SCA tooling, the SLSA framework, the EU CRA deadline, and why the XZ Utils backdoor changed open source assumptions.
Wiz, Orca, Prisma Cloud, and the platform consolidation that ate CSPM, CWPP, CIEM, and KSPM. Buyer guidance for the most contested procurement category in cloud security.
Aqua, Sysdig, Falco, and the hardening, runtime detection, and admission-control patterns that actually reduce container incident risk.
SSPM, OAuth hardening, and the control gaps that the Salesloft/Drift incidents put back on every CISO's desk.
Noname, Salt, Traceable, and the realistic assessment of whether API security tools stop the attacks or detect them after they happen.
Vault, AWS Secrets Manager, Doppler, and the enterprise rotation and workload-identity patterns that matter more than the tool choice.
SBOM, SCA, SLSA, post-quantum readiness, and the long-tail controls that separate organisations with a supply chain programme from those that have a compliance checkbox.
AWS Security Hub and GuardDuty, Azure Defender for Cloud, GCP Security Command Center — how the hyperscalers compare on native security tooling in 2026, and when to add a third-party CNAPP.
API security platform comparison for 2026: Noname (now Akamai), Salt Security, and Traceable (now Harness). Discovery, runtime protection, and what the market's consolidation means for buyers.
Post-quantum cryptography is no longer optional. A practical 2026 roadmap for enterprise PQC migration: crypto inventory, agility, NIST algorithms, and a realistic timeline.
Secrets management platform comparison: HashiCorp Vault, AWS Secrets Manager, and Doppler. Real 2026 pricing, the IBM acquisition fallout, rotation, and which fits which team.
Cloud security is the site’s secondary revenue engine and, increasingly, the category where the most interesting technical content lives. The CNAPP consolidation has not finished. The Kubernetes security tooling market is bifurcating between platform-embedded and best-of-breed. SaaS security has been quietly reshaped by the 2024-2025 OAuth incidents. The software supply chain category is moving from SBOM checkboxes to actual SLSA-level-3 enforcement. And secrets management is finally catching up to workload identity.
This is a technical category. Articles here are written for security engineers, platform engineers, and the CISOs who trust them, not for compliance-first buyers. Depth matters more than breadth. The comparison articles take positions on which vendors actually implement the architectures they describe, which are shipping reference architectures that work, and which ones are still selling pre-product roadmaps.
CNAPP is the largest sub-category and the one where the vendor landscape is shifting fastest. The Wiz vs Orca vs Prisma Cloud comparison is the anchor piece, with the AWS, Azure, and GCP native security comparison as the companion for buyers considering cloud-native alternatives.
Kubernetes covers hardening, runtime detection, admission control, and the realistic sequencing for organisations that are past the “cluster up” phase and into the “cluster safe at scale” phase.
SaaS security has been reshaped by the 2024-2025 incidents. Our SSPM coverage treats OAuth as the primary control plane rather than a footnote, and we are specific about what SSPM platforms actually detect versus what they claim.
API security is the sub-category where vendor marketing and reality diverge most widely. We have opinions on whether the Noname/Salt/Traceable tier actually stops attacks or mostly detects them after the fact, and we state them.
Secrets management covers the Vault / AWS Secrets Manager / Doppler tier, the enterprise rotation patterns that matter, and the workload-identity architectures that increasingly make traditional secrets management look like a legacy control.
Software supply chain covers SBOM, SCA, SLSA, package signing, and post-quantum cryptography readiness — which is moving from theory to planning faster than most organisations realise.
A few editorial positions that shape coverage in this category:
CNAPP has become the default procurement pattern, but the best-of-breed case is stronger than vendors want you to believe. For organisations with deep Kubernetes investment, the runtime detection gap in most CNAPP platforms is real. We flag it.
Cloud-native security services (AWS Security Hub, Azure Defender, GCP Security Command Center) have closed the gap with third-party CNAPP faster than the consulting narrative suggests. For single-cloud-heavy organisations, the total cost of ownership math increasingly favours native. We write the comparison that the CNAPP vendors will not.
SSPM without OAuth discipline is security theatre. Most SSPM platform pitches lead with posture scoring. The actual attack surface is OAuth application sprawl, third-party data access, and cross-tenant federation. We cover the thing, not the score.
API security tools are better at detection than at prevention, and that is fine as long as you are not sold the reverse. The API security comparison is specific about which controls each vendor actually implements.
Software supply chain programmes that start with SBOM generation usually stall. Programmes that start with build-system lockdown and signed artefacts usually succeed. We have a view on the sequencing.
This category cross-links heavily with Compliance (for SOC 2/ISO 27001 control mapping), with Tools (for EDR/XDR coverage in container and cloud workloads), and with AI Security (for the LLM gateway and agentic AI workload patterns that increasingly run inside the same infrastructure).